Expect will be used to automate the ACL update process discussed later in this whitepaper.
After installation, run “teapot.ext install Expect” (case sensitive) to install the Expect package. If you are running a 64-bit OS, download and install the 32-bit version; the next step will only work with the 32-bit version of ActiveState Tcl. ActiveState Tcl Community Version – free download.

If you are more comfortable using this technique to block TOR traffic using a Linux box, then go for it. You Linux users might/will be familiar with several of these programs that have been ported over to Windows. We are a Cisco shop, but the same principles can be applied to Linux iptables and to other router and firewall manufacturers. There are several ways to attack this problem: either create and update router ACLs (access control lists) or our main firewall ACLs.

For the sake of simplicity for our particular network environment, I chose to work with our main Internet router ACLs. The TOR client creates its own self-signed SSL certificate using a random common name (domain name) that changes approximately every 30 minutes.

After going around and around with this scenario without success, I decided to try to block access to the TOR exit nodes from our network. Once the initial connection is made, the traffic primarily uses TCP/443 (HTTPS/SSL/TLS) with the traffic payload being encrypted. In a nutshell, from my packet captures with Wireshark, tcpdump, and other programs, TOR initially connects via TCP port 9001, then tries TCP port 9090, then starts “port hopping” (jumping from TCP port to port) to make an initial connection with a TOR exit node.

I am a network administrator and have been tasked with making sure that our network is in compliance with our school district’s AUPs, CIPA, etc. This How-To is not about what is right and what is wrong about content filtering and censorship. In order to be in compliance with CIPA and other regulations, we have Internet monitoring, traffic shaping and content filters in place.
We have in place AUPs (Acceptable Use Policies) that outline what is acceptable, what is not, and the consequences that may occur for violation of these policies. With the “sugar” comes a bit of “vinegar”: our Internet usage must comply with CIPA (Child Internet Protection Act) and several other regulatory guidelines, or we risk losing the federally subsidized funding for our Internet access and transit.
I am employed by a K-12 educational school district located in Texas, and our Internet access (including transit charges) is subsidized via the E-Rate program. First, for some background on our situation and the usage of TOR: